Researchers have been monitoring a new botnet as it gains significant strength across the globe, currently affecting upwards of 500,000 unique devices. Using a multi-step process, VPNFilter can reach its command and control server to begin gathering and sending data and to allow remote code execution. Unfortunately, VPNFilter is nearly impossible to detect, as it remains relatively hidden while its processes run.
The stage 1 malware’s main task is to persist through reboots and to discover the IP address of the current stage 2 deployment server.
The stage 2 malware is downloaded from those servers (one of which has been seized by the FBI) and is capable of collecting files, exfiltrating data, managing the device and executing code on it.
Some versions also have the capability to overwrite a critical portion of the device’s firmware and reboot the device, effectively rendering it unusable. As the researchers pointed out, though, it’s more than likely that the threat actor running the botnet can deploy this self-destruct command to most of the devices they control.
The stage 3 modules are effectively plugins for the stage 2 malware. One can sniff and collect traffic that passes through the device (including website credentials); another allows the malware to communicate with the C&C server via Tor. The researchers believe there are other plugins, but so far they’ve only been able to discover and analyze those two.